Security

Your secrets stay yours.

Sablefort is built so that your team's credentials are protected on your devices, in transit, and at rest — and so that we never see the plaintext. Here's how it works.

How Sablefort protects your data

A few principles guide every part of the product.

Encrypted on your device

Your vaults are encrypted locally by the Sablefort engine before anything syncs. What leaves your machine is already ciphertext.

Master password stays local

Your master password is used only on your device to unlock your vaults. It is never transmitted to us and never stored on our servers.

Per-item encryption

Every item is protected individually, so access is granted at the level of the vault and the item — not all-or-nothing across your whole account.

In transit and at rest

Protected end to end.

Your already-encrypted vaults travel over encrypted connections and are stored encrypted on our infrastructure. Because encryption happens on your device first, our servers only ever handle ciphertext — a "zero-knowledge" design where we can't read your secrets even if we wanted to.

Access & accountability

Control who sees what — and know who did.

Granular access controls

Assign members to vaults with view, edit, or share permissions. Connect SSO and SCIM so access follows your directory and is removed the moment someone leaves.

Audit logs

Views, edits, shares, and break-glass events are recorded to a searchable, exportable log so your security team can always answer who accessed what, and when.

Compliance

We hold ourselves to recognized standards and keep our practices documented.

  • SOC 2 Type II — audit in progress; our current report and status are available to customers on request.
  • GDPR — we support data subject requests and offer a Data Processing Addendum for customers in the EU and UK.
  • Access reviews — administrators can review vault membership and export access records at any time.
  • Data residency & retention — retention settings and regional options are available on Business and Enterprise plans.

Need our security documentation, subprocessor list, or a questionnaire completed? Talk to our team.

Report a vulnerability

We welcome reports from the security community and investigate every submission.

Found a potential security issue? Please reach out through our support portal with the details and steps to reproduce. We'll acknowledge your report, keep you updated, and credit researchers who help us keep Sablefort safe.